
Packet Processor in Aruba IntroSpect UEBA

1. Can anyone explain the need for the Packet Processor in the Aruba IntroSpect UEBA tool?

2. In the absence of a Packet Processor, how will the analyzer process the data?

Capture.PNG

Re: Packet Processor in Aruba IntroSpect UEBA

Packet Processor will provide L7 DPI analysis of the traffic. In absence of a Packet Processor, network flow information can be retrieved from firewalls, proxy servers, Aruba controllers (AMON) or Netflow.

As the Packet Processor has by far the highest visibility even in the data flows, that is the preferred way to get network flow information.

Please work with your local Aruba Introspect SE to get you more educated on the IntroSpect solution and architecture. The diagram you show is very limited as it misses a lot of other log sources.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).

Re: Packet Processor in Aruba IntroSpect UEBA

IntroSpect is made up of three Nodes. One Analyser Node, three or more Compute Nodes and optionally one or more Packet Processor Nodes.

The Analyser Node is a combination of Analyst / Admin interface and Network Device Interface. For this conversation let's focus on the Network Device interface. The AN is able to use syslog to harvest logs from some devices and also receive logs from a SIEM like Splunk. It also receives logs and Meta-Data from the optional Packet Processor. The AN then populates all this into the databases on the Compute Nodes.

The Compute Nodes hold, index and manipulate the databases - these are the workers that run the various AI and Machine Learning engines.

Now let's look at the Packet Processor. The PP is optional in that if you are only monitoring a single site and the AN/CN is at that site then all log collection can be done by the AN at the site. You will need to add a PP at remote sites to collect logs at those sites and the PP will transfer the logs to the AN. However, there is one function the PP does that the AN/CN will not do. You must have a PP for network traffic evaluation.

The Packet Processor has a Deep Packet Inspection engine (read resource hog here) for analysing network traffic and generating Meta-Data which is sent to the AN. So if you are going to take advantage of one of the most powerful tools in IntroSpect and analyse live network traffic YOU NEED A Packet Processor even in a Single Site Configuration.

I hope this helps

Kelly K